From ea61d198f2ae883f57e7f8b9d8a0c4d74473ab2f Mon Sep 17 00:00:00 2001
From: Jooyung Han
Date: Wed, 24 Apr 2019 10:45:40 +0900
Subject: [PATCH] Adding vendor_apex_file for /vendor/apex

apexd needs to read /vendor/apex dir and files in it.

Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex -> see if boot succeeds with new policy
2. Add flattened apex to /vendor/apex -> see if only root files are labelled as vendor_apex_file
Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
---
 private/apexd.te | 4 ++++
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/compat/28.0/28.0.ignore.cil | 1 +
 private/file_contexts | 2 ++
 public/domain.te | 1 +
 public/file.te | 2 ++
 public/kernel.te | 7 +++++--
 8 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/private/apexd.te b/private/apexd.te
index b3aabea9a..d0ec9f4c0 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -50,6 +50,10 @@ allow apexd staging_data_file:file unlink;
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };
 
+# allow apexd to read files from /vendor/apex
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 45e1dd9e8..3c6ba08b2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -195,6 +195,7 @@
 usbd
 usbd_exec
 usbd_tmpfs
+ vendor_apex_file
 vendor_init
 vendor_shell
 vold_metadata_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 0e830f82c..3b9bd52e0 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -171,6 +171,7 @@
 usbd
 usbd_exec
 usbd_tmpfs
+ vendor_apex_file
 vendor_default_prop
 vendor_init
 vendor_security_patch_level_prop
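Review bot: The new comment `# allow apexd to read files from /vendor/apex` in the apexd.te hunk restates the two rules under it instead of saying why apexd needs them, and it is the only lower-case comment in the hunk (compare `# Unmount and mount filesystems`). The rules themselves grant only r_dir_perms and r_file_perms, which is the right scope for a read-only vendor partition, so the comment should record that intent rather than the mechanics. Suggest `# Read pre-installed APEX packages under /vendor/apex (read-only access)`.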
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2ea4d2c04..f07103d95 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -137,6 +137,7 @@
 traced_lazy_prop
 uri_grants_service
 use_memfd_prop
+ vendor_apex_file
 vendor_cgroup_desc_file
 vendor_idc_file
 vendor_keychars_file
diff --git a/private/file_contexts b/private/file_contexts
index 4f0690b0b..9e7bba7bd 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -352,6 +352,8 @@
 /(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
 /(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
 
+/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
 
diff --git a/public/domain.te b/public/domain.te
index 634a5c558..a4156467a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1003,6 +1003,7 @@ full_treble_only(`
 vendor_file_type
 -same_process_hal_file
 -vendor_app_file
+ -vendor_apex_file
 -vendor_configs_file
 -vendor_framework_file
 -vendor_idc_file
diff --git a/public/file.te b/public/file.te
index c8953dec4..d906b7f6c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -286,6 +286,8 @@ type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
 # /data/app-staging
 type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/kernel.te b/public/kernel.te
index 50e72c2b1..99ad01404 100644
--- a/public/kernel.te
+++ b/public/kernel.te
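Review bot: The new file_contexts entry matches only `/vendor/apex`, while every neighbouring vendor entry in the hunk (overlay, framework, lib/hw) is written as `/(vendor|system/vendor)/...`; on a build where vendor is laid out under /system/vendor the APEX files would keep the default vendor label and the new apexd read rules would not apply. Unless that layout is intentionally unsupported for APEX, the line should read `/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0`. The `{0,2}` depth limit is deliberate according to the commit message (a flattened APEX's root files are labelled, its deeper contents are not), but nothing in the file records that, so a maintainer tidying regexes could "fix" it to `(/.*)?`; add a comment above the entry such as `# /vendor/apex and at most two path levels below it: a flattened APEX's root files get this label, its deeper contents keep the default vendor label.`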
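Review bot: The `-vendor_apex_file` exemption in domain.te removes the new type from the enclosing full_treble_only restriction for every coredomain, although the only readers this commit introduces are apexd and the kernel; the neverallow's subject set and permission list start above the hunk, so I cannot tell from here how much access the exemption opens. If the rule is as broad as its siblings suggest, consider pairing the exemption with a narrower neverallow that pins who may touch pre-installed APEX files, along the lines of `neverallow { domain -apexd -init -kernel -vendor_init } vendor_apex_file:file ~r_file_perms;`, with the exclusion list checked against whichever domains relabel /vendor at boot. At minimum a comment on the exemption line naming apexd as the intended consumer would make the intent reviewable.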
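Review bot: The comment `# /vendor/apex` above the new type in file.te gives only the path, and does not say why the type is a vendor_file_type while staging_data_file two lines above is a data_file_type, nor who is expected to read it. Both facts are established elsewhere in this commit (apexd.te grants read access, kernel.te adds the type to the loop-driver read rule), so the comment can state them without guessing: `# /vendor/apex: pre-installed vendor APEX packages, read by apexd and by the kernel on behalf of the loop driver`.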
@@ -85,8 +85,11 @@ allow kernel vold_data_file:file { read write };
 # Needed because APEX uses the loopback driver, which issues requests from
 # a kernel thread in earlier kernel version.
 allow kernel apexd:fd use;
-allow kernel apex_data_file:file read;
-allow kernel staging_data_file:file read;
+allow kernel {
+ apex_data_file
+ staging_data_file
+ vendor_apex_file
+}:file read;
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.